Abstract

Easy proofs are given of the impossibility of solving several consensus problems (Byzantine agreement, weak
agreement, Byzantine firing squad, approximate agreement and clock synchronization) in certain
communication graphs. It is shown that, in the presence of m faults, no solution to these problems exists for
communication graphs with fewer than 3m+1 nodes or less than 2m+1 connectivity. While some of these
results had previously been proved, the new proofs are much simpler, provide considerably more insight,
apply to more general models of computation, and (particularly in the case of clock synchronization)
significantly strengthen the results.
Each of our proofs is an argument by contradiction. We assume that a given problem can be solved in a


satisfy the correctness conditions for the given problem, although they are required to do so. Versions of
many of the results were already known, with proofs of this same general form. Our proofs differ from the
earlier  nrooft  in  ttotthnhme  tee  ernes  eeemnet  team  afhdhmfcire.  ftp«Mt>nhiMih«iMiW  »wi  mmHw 
ronioreggnanlaMdefeefdMhNDdcoNpacitiafc 

For Byzantine agreement, both bounds were already known [PSL,D]. The 3m + 1 node lower bound in
[PSL] was proved only for a particular synchronous model of computation. Although carefully done, the
proof is somewhat complicated and not as intuitive as one might like. In contrast, our proof is simple and
transparent, and applies to general models of computation. A proof of the 2m + 1 connectivity lower bound
was presented informally in [D]; we prove that bound more formally and for more general models.

For weak Byzantine agreement, the requirement of 3m + 1 nodes was known [L], but was proved using a
complicated construction. The new proof is easy and extends to more general models (although not as
general as those for Byzantine agreement and approximate agreement). The 2m + 1 connectivity
requirement was previously unknown. The result for the Byzantine firing squad problem follows from a
reduction of weak agreement in [CDDS]; we provide a direct proof. For approximate agreement, the 3m +
1 bound was noted, but not proved, in [DLPSW], while the 2m + 1 connectivity requirement was previously
unknown.

For clock synchronization, the 3m + 1 node bound was proved in [DHS], with a complicated proof. The
authors of [DHS] also claimed that they know how to prove the corresponding 2m + 1 connectivity lower
bound, but we presume that such a proof would also be complicated. We prove both the 3m + 1 node and
the 2m + 1 connectivity bounds, for a much more general notion of clock synchronization than in [DHS].
i  new  lyncurowynon  ooum  murk  uta i  mere  s  no  ora  way  hock*  mm  ws  pmmgs  m  a*n» 
2. A Model of Distributed Systems

In order to make the impossibility results clear, concise and general, we introduce a simple model of
distributed systems.

A communication graph is a directed graph G with node set nodes(G) and edge set edges(G), such that the
directed edges occur in pairs; edge (u,v) ∈ edges(G) if and only if (v,u) ∈ edges(G). (We consider a pair of
directed edges rather than a single undirected edge in order to model the communication in each direction
separately.) We call the edge (u,v) an outedge of u, and an inedge of v. Given U a subset of nodes(G), the
subgraph G_U induced by U is the graph containing all the nodes in U and all the edges between nodes in U.
The inedge border of G_U is the set of edges from nodes outside U into U; that is,
edges(G) ∩ ((nodes(G)\U) × U).

A system 𝒢 is a communication graph G with an assignment of a device and an input to each node of G.
Devices are undefined primitive objects. The specific inputs we consider are encodings of Booleans, real
numbers or real-valued functions of time (e.g. local clocks). The particular type of input depends on the
agreement problem addressed. If a node is assigned device A in system 𝒢, we say that the node runs A. A
subsystem 𝒰 of 𝒢 is any subgraph G_U of G with the associated devices and inputs.

Every system 𝒢 has a system behavior, ℰ, which is a tuple containing a behavior of every node and edge in
G. (We also describe ℰ as a behavior of the communication graph G. Note that a system has exactly one
behavior, while a graph may have several, depending on the devices and inputs assigned to the nodes.) The
restriction of a system behavior ℰ to the behaviors of the nodes and edges of a subgraph G_U of G is the
scenario ℰ_U of G_U in ℰ.

For now, we take node and edge behaviors as primitives. In more concrete and familiar models, a node or
edge behavior might be a finite or infinite sequence of states, or a mapping from the positive reals to some
state set, denoting state as a function of time. (We use the latter interpretation for later results.) LcmtatBiar


ioac«|wet  kie&avioc«  as  mapfri^  Anm  J«als4»4stacak  or  foiai  ttwislimce  ordinals  «o  ataim.  To 
ototata  emfo*wsulmtfKprrei»c  mierpretauun  of  node  and  edge  bch^  We  need  only 

restrict our model so that the following two axioms hold. (We assume these two axioms throughout the paper.
Some of the later results require additional assumptions.)

Locality Axiom: Let 𝒢 and 𝒢' be systems with behaviors ℰ and ℰ', respectively, and isomorphic subsystems
𝒰 and 𝒰' (with vertex sets U and U'). If the corresponding behaviors of the inedge
borders of U and U' in ℰ and ℰ' are identical, then scenarios ℰ_U and ℰ'_U' are identical.

At heart, the Locality axiom says that communication only takes place over the edges of the communication
graph. In particular, it expresses the following property: The only parameters affecting the behavior of any
local portion of a system are the devices and inputs at each local node, together with any information
incoming over edges from the remainder of the system. If these parameters are the same in two behaviors, the
local behaviors (scenarios) are the same.1 Clearly, some such locality property must hold, or agreement is
trivially achievable by having devices read other devices' inputs directly.

Fault Axiom: Let A be any device. Let E_1,...,E_d be d edge behaviors, such that each E_i is the behavior of
the i-th outedge, in some system behavior ℰ_i, of a node running A. Let u be any node with
d outedges (u,v_1),...,(u,v_d). There is a device F such that in any system in which u runs F,
the behavior of each outedge (u,v_i) is E_i.

In this case, we write F_A(E_1,...,E_d) for F. This axiom expresses a powerful masquerading capability of failed
devices. Any behavior exhibited by a device over different edges in different system behaviors can be
exhibited by a failed device in a single system behavior. When this axiom is significantly weakened (say, by
adding an unforgeable signature assumption), the following impossibility results do not hold [LSP,PSL].

In order to establish the relevance of our impossibility results to more concrete models of distributed
systems, it is sufficient to interpret our definitions in the particular model and then to prove the Locality and
Fault axioms.

Our proofs utilize the graph-theoretic notion of a covering. For any graph G, let neighbors = {(u,V) | u is a
node of G and V is the set of all nodes v such that there is an edge from v to u in G}. A graph S covers G if
there is a mapping φ from the nodes of S to the nodes of G that preserves "neighbors." That is, if node u of S
has d neighbors v_1,...,v_d, and φ(u) = w for a node w of G, then w has d neighbors x_1,...,x_d and
φ(v_i) = x_i for 1 ≤ i ≤ d. Under such a mapping, S looks locally like G.


^F#r  nmk  msm  wA  the  Mag  iqaad  problem,  we  need  to  wneatf  tWi  loedky  property  to  iadudi  time,  ■  wri. 


a  Boolean  input  aod  chooses  1  or  0  as  a  result  (To  model  choosing  a 
CHOOSE  from  behavior*  of  nodes running  agreement  devices  to  the  act 
a  behavior  tofC  if  node  u  runs  Au  in  €.  Any  system  behavior  8  of  G  in 
whidt  at  least  s*m  note  arecorrcttiMco^  Correct  system  behaviors  must  satisfy  the 

following conditions.


result  amume  there  is  a 
of 


Agreement: Every correct node chooses the same value.


Theorem 1: Byzantine agreement is not possible in inadequate graphs.

3.1. Number of Nodes

We begin with the lower bound of 3m + 1 for the number of nodes required for Byzantine agreement.
First consider the case where |G| = n = 3 and m = 1. Assume that the problem can be solved for the
communication graph G consisting of three nodes fully connected by communication edges. Let the three
nodes of G be a, b and c, and assume that they run agreement devices A, B and C, respectively. We represent
the

/-----\
A--B--C


The covering graph S is as follows.

/--------------\
u--v--w--x--y--z

This graph looks locally like G under the mapping φ defined by φ(u) = φ(x) = a, φ(v) = φ(y) = b and
φ(w) = φ(z) = c.


Now specify the system by assigning devices and inputs for the nodes in S as follows.

/--------------\
A--B--C--A--B--C
0  0  0  1  1  1

By this we mean that node u runs device A with input 0, node v runs B with input 0, and so on. Let 𝒮
denote the resulting behavior of the system; 𝒮 includes a behavior for each of the six nodes and twelve
directed edges in S.


Now consider scenarios 𝒮_vw, 𝒮_wx and 𝒮_xy in 𝒮, where each consists of the behaviors of the two indicated
nodes in S, along with the activity over the two connecting edges. We argue that each of these scenarios is
identical to a scenario in a correct behavior of G.

The first scenario 𝒮_vw is shown below.

/--------------\      /-----\
A--B--C--A--B--C      F--B--C
0  0  0  1  1  1         0  0


This scenario is the behavior in 𝒮 of nodes v and w, together with that of the communication edges between
v and w. Now consider the behavior ℰ_1 of G in which node b runs B on input 0, node c runs C on input 0,
and node a runs a device that mimics node u in talking to b, and mimics node x in talking to c. Formally, if
E_(u,v) and E_(x,w) are the indicated edge behaviors in 𝒮, node a runs device F_A(E_(u,v), E_(x,w)) (we have
written just F in the figure). This device exists, by the Fault axiom, and in the resulting behavior, edges from
node a to node b and to node c have behaviors E_(u,v) and E_(x,w), respectively. By the Locality axiom, the
scenario containing b and c's behaviors in ℰ_1 is identical to 𝒮_vw. Validity requirements insure that node b
and node c must choose 0 in ℰ_1. Since their behavior is identical in 𝒮, v and w choose 0 in 𝒮.

Next, consider scenario 𝒮_wx.

/--------------\      /-----\
A--B--C--A--B--C      A--F--C
0  0  0  1  1  1      1     0

This scenario includes the behavior of nodes w and x in 𝒮. It is also the behavior of nodes a and c in a
behavior ℰ_2 of G which results when they run their devices A and C on inputs 1 and 0, respectively, and node
b is faulty, exhibiting the same behavior to node x that v exhibits to w in 𝒮, and the same behavior to node a
that y exhibits to x in 𝒮. The behavior of node c in ℰ_2 is identical to that of node w in 𝒮, so node c chooses 0 in
ℰ_2, from the argument above. By agreement, node a decides 0 in ℰ_2. Thus node x decides 0 in 𝒮.


Now consider the third scenario, 𝒮_xy.

/--------------\      /-----\
A--B--C--A--B--C      A--B--F
0  0  0  1  1  1      1  1

This scenario is the behavior of nodes x and y in 𝒮. It is also the behavior of nodes a and b in a correct
behavior ℰ_3 of G which results when they both run their devices on input 1, and node c is faulty, exhibiting
the same behavior to node a that w exhibits to x in 𝒮, and the same behavior to node b that z exhibits to y in 𝒮.
Validity requirements insure that nodes a and b must choose 1. Thus nodes x and y choose 1. But we have
already established that node x must choose 0, a contradiction.


Now consider the general case of |G| = n ≤ 3m. Partition the nodes of G into three sets, a, b and c, so that
a, b and c have at least 1 and at most m nodes. This means that any two sets together contain at least n-m
nodes. The nodes in each set are running agreement devices, and we denote by A the set of devices running
at the nodes in a, and similarly for B and C. Now construct the covering graph S in the obvious way. Briefly,
take two copies of G, and label the sets a, b and c in each copy by u, v and w, respectively, in one copy, and x,
y and z in the other. Now replace the edges between nodes in u and w and between nodes in x and z by
corresponding edges between u and z and between x and w. Assign devices to nodes of S according to their
corresponding node in G. We represent the covering graph S and assigned devices exactly as above, so that
the edges depicted between two sets of nodes in S, say sets u and v, are now a shorthand representation for all
the edges in S between nodes in set u and nodes in set v. The inputs depicted for the sets of devices A, B and
C are assigned to all the devices in the respective sets. The arguments proceed exactly as in the preceding
pictures. We consider only one in detail.

𝒮                     ℰ_1
/--------------\      /-----\
A--B--C--A--B--C      F--B--C
0  0  0  1  1  1         0  0
   |--|                  |--|

This scenario is now the behavior of the sets of nodes in v and w in the behavior 𝒮. It is the same as the
behavior of the sets b and c in a behavior ℰ_1 of G in which all nodes in both sets run their devices with input 0
and the nodes in set a exhibit the same behavior to members of b that the corresponding nodes in set u exhibit
to the members of v in 𝒮, and the same behavior to nodes in c that the corresponding nodes in y exhibit to the
members of x in 𝒮. Since sets b and c together contain at least n-m correct nodes, ℰ_1 is a correct behavior of
G. Thus, all the nodes in b and c must decide 0, by the validity condition, and c contains at least one node, by
construction.
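
The covering construction of this section can be checked mechanically. The following Python sketch is an
added example, not part of the original paper: it builds S from two copies of G by swapping the a-c edges,
verifies that S covers G, and reports which set of G feeds the inedge border of each scenario. The complete
graph, the (node, copy) labelling and all function names are assumptions made for the illustration.

```python
"""Covering-graph construction from the 3m+1 node bound (added example)."""

def complete_graph(nodes):
    """Communication graph as a set of directed edges that occur in pairs."""
    return {(p, q) for p in nodes for q in nodes if p != q}

def in_neighbors(edges, node):
    """Nodes with an edge into `node` (the set V in the paper's 'neighbors')."""
    return {p for (p, q) in edges if q == node}

def build_cover(edges, part):
    """Two copies of G with the a-c edges swapped across the copies.

    `part` maps each node of G to 'a', 'b' or 'c'.  A node of S is (node, copy);
    copy 0 holds the sets u, v, w and copy 1 holds x, y, z.
    Returns (edges of S, covering map phi from nodes of S to nodes of G).
    """
    cover = set()
    for (p, q) in edges:
        crossing = {part[p], part[q]} == {"a", "c"}
        for i in (0, 1):
            cover.add(((p, i), (q, 1 - i if crossing else i)))
    phi = {(p, i): p for p in part for i in (0, 1)}
    return cover, phi

def covers(cover, phi, edges):
    """True if phi maps each node's in-neighbors one-to-one onto those of its image."""
    for s, g in phi.items():
        images = [phi[t] for t in in_neighbors(cover, s)]
        if len(images) != len(set(images)) or set(images) != in_neighbors(edges, g):
            return False
    return True

def scenario(cover, phi, part, members):
    """Inspect the subsystem of S made of the given (set label, copy) pairs.

    Returns (embeds, border_sets).  `embeds` is True when phi is one-to-one on the
    subsystem, so it is isomorphic to a subsystem of G.  `border_sets` holds the
    labels of the sets of G whose nodes feed the inedge border; only those nodes
    have to be replaced by masquerading (faulty) devices.
    """
    inside = {s for s in phi if (part[phi[s]], s[1]) in members}
    embeds = len({phi[s] for s in inside}) == len(inside)
    border_sets = {part[phi[s]] for (s, t) in cover if t in inside and s not in inside}
    return embeds, border_sets

# The three scenarios of the proof: v+w, w+x and x+y.
SCENARIOS = {
    "vw": [("b", 0), ("c", 0)],
    "wx": [("c", 0), ("a", 1)],
    "xy": [("a", 1), ("b", 1)],
}

def analyse(nodes, part):
    """Build S for the complete graph on `nodes` and summarise the checks."""
    edges = complete_graph(nodes)
    cover, phi = build_cover(edges, part)
    return {
        "nodes": len(phi),
        "edges": len(cover),
        "covers": covers(cover, phi, edges),
        "scenarios": {k: scenario(cover, phi, part, m) for k, m in SCENARIOS.items()},
    }

if __name__ == "__main__":
    # n = 3, m = 1: the triangle and its six-node ring.
    print(analyse("abc", {"a": "a", "b": "b", "c": "c"}))
    # n = 6, m = 2 (constructed input): complete graph, sets of two nodes each.
    print(analyse(range(6), {0: "a", 1: "a", 2: "b", 3: "b", 4: "c", 5: "c"}))
```

Each scenario has a single border set, of at most m nodes, which is why one faulty set suffices to reproduce
the scenario in a correct behavior of G.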


3.2.  Connectivity 

Now we carry out the 2m + 1 connectivity lower bound proof. Let c(G) = connectivity of G. We assume
we can achieve Byzantine agreement in a graph G with c(G) ≤ 2m, and derive a contradiction.

For now, we consider the case m = 1 and the communication graph G of four nodes a, b, c and d, running
devices A, B, C and D, as indicated below.

/--------\
|  /----\|
A--B--C--D

The  connectivity  of  G  is  two;  the  two  nodes  b  and  d  disconnect  G  into  two  pieces,  the  nodes  a  and  c. 

We consider the following system, with the eight-node graph S and devices and inputs as indicated.

/--------------------\
|  /----\      /----\|
A--B--C--D--A--B--C--D
0  0  0  0  1  1  1  1

The resulting behavior of the system is 𝒮. We consider three scenarios in 𝒮: 𝒮_1, 𝒮_2 and 𝒮_3.


The first scenario, 𝒮_1, is shown below.

/--------------------\      /--------\
|  /----\      /----\|      |  /----\|
A--B--C--D--A--B--C--D      A--B--C--F
0  0  0  0  1  1  1  1      0  0  0
|-----|                     |-----|

This is also a scenario in a correct behavior ℰ_1 of G. In ℰ_1, nodes a, b and c are correct. Node d is faulty,
exhibiting the same behavior to node a as one node running D in the covering graph, and the same behavior
to b and c as the other node running D exhibits in the covering graph. Then nodes a, b and c must choose 0 in
ℰ_1, and so must the nodes running A, B and C in 𝒮_1.

Now consider the second scenario, 𝒮_2.

/--------------------\      /--------\
|  /----\      /----\|      |  /----\|
A--B--C--D--A--B--C--D      A--F--C--D
0  0  0  0  1  1  1  1      1     0  0
      |-----|                     |--|

This scenario in 𝒮 is also a scenario in a correct behavior ℰ_2 of G in which nodes c, d and a are correct. This
time, node b is faulty, exhibiting the same behavior to nodes c and d as one node running B in the covering,
and the same behavior to node a as the other node running B. So nodes a, c and d must agree in ℰ_2, and so do
the corresponding nodes in 𝒮_2. Since the node running C chooses 0 from the argument above, the nodes
running D and A in 𝒮_2 choose 0, too.

Finally, consider the last scenario 𝒮_3.


/--------------------\      /--------\
|  /----\      /----\|      |  /----\|
A--B--C--D--A--B--C--D      A--B--C--F
0  0  0  0  1  1  1  1      1  1  1
            |-----|         |-----|

This scenario is again the same as a scenario in a behavior ℰ_3 of G in which nodes a, b and c are correct, but
have input 1. Node d is faulty, exhibiting the same behavior to node a that one node running D in the
covering graph exhibits, and the same behavior to nodes b and c as the other D in the covering exhibits. Then
nodes a, b and c choose 1 in ℰ_3, and so must the nodes running A, B and C in 𝒮_3, contradicting the argument
above that the node running A chooses 0.

The general case for arbitrary c(G) ≤ 2m is an easy generalization of the case for m = 1. The same pictures
are used. Just choose b and d to be sets consisting of at most m nodes each, such that removing the nodes in b
and d from G disconnects two nodes u and v of G. Let G' be the graph obtained by removing b and d from
G, let the set a contain those nodes connected to u, and the set c contain the remaining nodes of G' (c contains
at least one node, v). Construct S as before, by taking two copies of G and rearranging edges between the V
sets and their neighbors. The nodes and edges in our figures are now a shorthand for the actual nodes and
edges of G and S.

This completes the proof of Theorem 1. □

The succeeding impossibility results for other consensus problems follow the same general form as the two
arguments above. We assume a problem can be solved by specific devices in an inadequate graph, G, install
the devices in a graph S that covers G, and provide appropriate inputs. Using the Locality and Fault axioms,
we argue the existence of a sequence of correct behaviors of G that have node and edge behaviors identical to
some of those in the behavior of S. (This sequence was (ℰ_1, ℰ_2, ℰ_3) in the arguments above.) By the
agreement condition, correct nodes in each of the behaviors of G have to agree. Because each successive pair
of system behaviors has a correct node behavior in common, all of the correct nodes in all the behaviors in the
sequence have to agree. But by the validity condition, correct nodes in the first behavior in the sequence must
choose different values than those in the last behavior, a contradiction.


As we indicated in the introduction, a less general version of Theorem 1 was previously known, and the
structure of our proof is very similar to that of earlier proofs [PSL], [D]. Our proof differs in the construction
of the system behaviors ℰ_1, ℰ_2 and ℰ_3. Earlier results construct these behaviors inductively, in less general
models of distributed systems. The detailed assumptions of the models are necessary to carry out the tedious
and involved constructions.

Rather than construct the behaviors explicitly, we build them from pieces (node and edge behaviors)
extracted from actual runs of the devices in a covering graph. The Locality and Fault axioms imply that
scenarios in the covering graph are also found in correct behaviors of the original inadequate graph.

The model used to obtain these results is an extremely general one, but it does assume that systems behave
deterministically. (For every set of inputs, a system has a single behavior.) By considering a system and
inputs as determining a set of behaviors, nondeterminism may be introduced in a straightforward manner.
One changes the Locality axiom to express the following: if there exist behaviors of two systems in which the
inedge borders of two isomorphic subsystems are identical, there exist such behaviors for which the behaviors
of the subsystems are also identical. Using this axiom, the same proofs suffice to show that nondeterministic
algorithms cannot guarantee Byzantine agreement.

4.  Weak  Agreement 

Now we give our impossibility results for the weak agreement problem. As in the Byzantine agreement
case, nodes have Boolean inputs, and must choose a Boolean output. The agreement condition is the same as
for Byzantine agreement: all correct nodes must choose the same output. The validity condition is weaker,
however.

Agreement: Every correct node chooses the same value.

Validity: If all nodes are correct and have the same input, that input must be the value chosen.

The weaker validity condition has an interesting impact on the agreement problem. If any correct node
observes disagreement or faulty behavior, then all are free to choose a default value, so long as they still agree.

Lamport notes that there are devices for reaching a form of approximate weak consensus, which work when
|G| ≤ 3m. Running these for an infinite time produces exact consensus (at the limit) [L]. In such infinite
behaviors, if any correct node observes disagreement or faulty behavior, it has plenty of time to notify the
others before they choose a value. Thus, strengthening the choice condition, to prohibit such infinite
solutions, is necessary to obtain the lower bound.
We must also bound communication delays away from zero, or a similar type of infinite behavior is
possible. In fact, if we assume there is no lower bound on transmission delay, and thadevta
delay and have synchronized clocks, we have found an algorithm for reaching weak consensus. This
algorithm requires at most two broadcasts per node, all with nonzero transmission delay, and works with any
number of faults. Again, this is because any correct node which observes disagreement or faulty behavior has
plenty of time to notify the others before they choose a value.2 In more realistic models it is impossible to
reach weak consensus in inadequate graphs. To show this, the minimal semantics introduced in the previous
sections must be extended to exclude these solutions. We do this as follows. Previously, behaviors
of nodes and edges were elements of some arbitrary set. Henceforth, we consider them to be mappings from
[0,∞) (our definition of time), to arbitrary state sets. Thus, if E is a behavior of node u, then u is in state E(t)
at time t.

We add the following condition to the weak agreement problem.

Choice: A correct node must choose 0 or 1 after a finite amount of time.

This means there is a function CHOOSE from behaviors of nodes running weak agreement devices to {0,1},
with the following property: Every such behavior E has a finite prefix E_t (E restricted to the interval [0,t])
such that all behaviors E' extending E_t have CHOOSE(E) = CHOOSE(E').

This  choice  condition  prohibits  Lamport’s  infinite  solution.  To  prohibit  the  second  solution,  we  bound  the 
rate  at  which  information  can  traverse  the  network.  To  do  so,  we  add  the  following  stronger  locality  axiom  to 
our  model. 


Bounded-Delay Locality Axiom

There exists a positive constant δ such that the following is true. Let 𝒢 and 𝒢' be systems
with behaviors ℰ and ℰ', respectively, and isomorphic subsystems 𝒰 and 𝒰' (with vertex
sets U and U'). If the corresponding behaviors of the inedge borders of U and U' in ℰ and
ℰ' are identical through time t, then scenarios ℰ_U and ℰ'_U' are identical through time t+δ.

Thus, news of events k edges away from some subgraph G' takes time at least kδ to arrive at G'. In a model
with explicit messages, this axiom could be proven from an assumption that the transmission delay is at least
δ, and the edge behaviors in our model would correspond to state descriptions of the transmitting end of each
communications link.


2NedwMMMtkaa0ianddedde«WML  They  braadca*  Adr  value  « lime  0.  spcrifrtai  k  to  arrive  M  tkne  l/l  tTaaodaflat 
dcnaadkutieewcaiar  tetare  (at  tkwel-t>.XbwadCMBi  a  *teltt>  detected.  chooaeddkMa  veto*  wasMae.n»aetfitaiSwantvaM  Owe 
l-t/1  The  abview  rtnrUica  ■  wade  by  waiyww  at  time  L 
Proof: The proof is an easy induction using the Bounded-Delay Locality axiom. □

By Lemma X the nodes running devices C and A in scenario ?k have behaviors identical to He and Et
through time ll. Since nodes c and a in G have chosen output 0 by this time, so have the corresponding


There are strong similarities between this argument and a proof by Angluin, concerning leader elections in
rings and arbitrarily long lines of processors [A]. Both results depend crucially on the existence of a lower
bound on the rate of information flow. Under this assumption, devices in different communication networks
can be shown to see the same local behavior for some fixed time.

5. Byzantine Firing Squad

The Byzantine firing squad problem addresses a form of synchronization in the presence of Byzantine
failures. The problem is to synchronize a response to an input stimulus. The response is to enter a designated
FIRE state. The problem was studied originally in [BL]. In [CDDS] a reduction of weak agreement to the
Byzantine firing squad problem demonstrates that the latter is impossible to solve in inadequate graphs. We
provide a direct proof that a simple variant of the original problem is impossible to solve in inadequate
graphs. (In the original version, the stimulus can arrive at any time. We require it to arrive at time 0, or not at
all. Our validity condition is slightly different.) The proof is very similar to that for weak agreement.

One  or  more  devices  may  receive  a  stimulus  at  time  0.  We  model  the  stimulus  as  an  input  of  1,  and  absence 
of  the  stimulus  as  an  input  of  0.  Correct  executions  must  satisfy  the  following  conditions. 

Agreement: If a correct node enters the FIRE state at time t, every correct node enters the FIRE state at
time t.

Validity: If all nodes are correct and the stimulus occurs at any node, they enter the FIRE state after some
finite delay. If the stimulus does not occur and all nodes are correct, no node ever enters the FIRE state.

As in the case of weak agreement, solutions to the Byzantine firing squad problem exist in models in which
there is no minimum communication delay. Thus the following result requires the Bounded-Delay Locality
axiom, in addition to the Fault axiom.

Theorem 4: The Byzantine firing squad problem cannot be solved in inadequate graphs for
models satisfying the Bounded-Delay Locality axiom.


1  node  ^(p^5  n«3,m*  L 


Assume there are Byzantine firing squad devices A, B and C for the triangle graph G containing nodes a, b
and c. Consider the two behaviors of G in which all nodes are correct, and all have input 0 or all have input 1.
Let t be the time at which the correct devices enter the FIRE state in the case that the stimulus occurred (the
input 1 case). Since the correct nodes never enter the FIRE state in the absence of the stimulus, they certainly
do not enter the FIRE state at time t. Choose k ≥ t/δ to be a multiple of 3. (Recall that δ is the minimum
transmission delay defined in the Bounded-Delay Locality axiom.)

The covering graph S consists of 4k nodes, arranged in a ring and assigned devices and inputs as follows:

/------------------------------------------------------------\
A--B--C...B--C--A--B...A--B--C--A--B--C...B--C--A--B...A--B--C
0  0  0   0  0  0  0   0  0  0  1  1  1   1  1  1  1   1  1  1

Similarly to the proof for weak agreement, the middle two devices receiving the stimulus enter the FIRE
state at time t, as their behavior through time t is the same as that of the correct nodes in G which have
received the stimulus and fire at time t. Because of the communication delay, there is not enough time for
"news" from the distant nodes to reach these devices. By repeated use of the agreement property, all the
devices in S must fire at time t. But through time t, the middle two devices not receiving the stimulus behave
exactly as correct nodes in G which do not receive the stimulus (the input 0 case). Thus they do not fire at
time t, a contradiction. □

6.  Approximate  Agreement 

Next, we turn to two versions of the approximate agreement problem [DLPSW,MS]. We call them simple
approximate agreement and (ε,δ,γ)-agreement. In these problems, nodes have real values as inputs and
choose real numbers as a result. The goal is to have the results close to each other and to the inputs. In order
to obtain the strongest possible impossibility result, we formulate very weak versions of the problems.

For the following two theorems we use only the Locality and Fault axioms. We do not need the
Bounded-Delay Locality axiom used for the weak agreement and firing squad results.

6.1.  Simple  Approximate  Agreement 

First, we turn to the simple approximate agreement problem [DLPSW]. The version we examine is based
on that in [DLPSW]. Each correct node has a real value from the interval [0,1] as input, runs its device and
chooses a real value. Correct behaviors (those in which at least n - m nodes are correct) must satisfy the
following conditions.

the maximum difference between the inputs, or be equal to the latter difference if it is zero.

Validity: Each correct node chooses a value within the range of the inputs of the nodes.

Theorem 5: Simple approximate agreement is not possible in inadequate graphs.

The proof is almost exactly that for Byzantine agreement. Here, we consider devices which take as inputs
numbers from the interval [0,1], and choose a value from [0,1] to output. (Outputs are modeled by a function
CHOOSE from behaviors of nodes running the devices to the interval [0,1].) As before, assume simple
approximate agreement can be reached in the triangle graph G. Consider the following three scenarios from
the indicated behavior in the covering graph S.

 /-------------------\
 A---B---C---A---B---C
 0   0   0   1   1   1

Again, each scenario is also a scenario in a correct behavior of G. In the first scenario, the only value C can
choose is 0. In the third, the only value A can choose is 1. This means the values chosen by A and C in the
second scenario are 0 and 1, so that the outputs are no closer than the inputs, violating the agreement
condition.

The general case of $|G| \le 3m$ and the connectivity bounds follow as for Byzantine agreement.

6.2. $(\epsilon,\delta,\gamma)$-Agreement

This version of approximate agreement is based on that in [MS]. Let $\epsilon$, $\delta$ and $\gamma$ be positive real numbers.
The correct nodes receive real numbers as inputs, with $r_{min}$ and $r_{max}$ the smallest and largest such inputs,
respectively. These inputs are all at most $\delta$ apart (i.e. the interval of inputs $[r_{min}, r_{max}]$ has length at most $\delta$).
They must choose a real number as output, such that correct behaviors (those in which at least n - m nodes are
correct) satisfy the following conditions.

Agreement: The values chosen by correct nodes are all at most $\epsilon$ apart.

Validity: Each correct node chooses a value in the interval $[r_{min} - \gamma, r_{max} + \gamma]$.

Note that if $\epsilon \ge \delta$, $(\epsilon,\delta,\gamma)$-agreement can be achieved trivially by choosing the input value as output.

Theorem 6: If $\epsilon < \delta$, $(\epsilon,\delta,\gamma)$-agreement is not possible in inadequate graphs.

Proof: Let $\epsilon$, $\delta$ and $\gamma$ be positive real numbers with $\epsilon < \delta$. We prove only the 3m+1 bound on the number
of nodes. Assume that devices A, B and C exist which solve the $(\epsilon,\delta,\gamma)$-approximate agreement problem in
the complete graph G on three nodes, for particular values of $\epsilon$, $\delta$ and $\gamma$, where $\epsilon < \delta$.

Choose k sufficiently large that $\delta > 2\gamma/(k-1) + \epsilon$, and k+2 is divisible by three. The covering graph S
contains k+2 nodes arranged in a ring, with devices and inputs assigned to create the following system.

        /--------------------------------------\
        A ------ B ------ ... ------ B ------ C
node    0        1        ...        k        k+1
input   0        $\delta$        ...        $k\delta$       $(k+1)\delta$

Let $\mathcal{S}_i$, for $0 \le i \le k$, denote the two-node scenario in $\mathcal{S}$ containing the behaviors of nodes i and i+1. By
the Fault Axiom, each scenario $\mathcal{S}_i$ is a scenario of a correct behavior of G, in which the largest input value to a
correct node is $(i+1)\delta$.

Lemma 7: For $0 \le i \le k$, the value chosen by the device at node i+1 is at most $\delta + \gamma + i\epsilon$.

Proof: The proof is a simple induction. The device at node 1 chooses at most $\delta + \gamma$, by validity applied to
scenario $\mathcal{S}_0$. Assume inductively that the device at node i chooses at most $\delta + \gamma + (i-1)\epsilon$, for $0 < i < k+1$. By
agreement applied to scenario $\mathcal{S}_i$, the device at node i+1 chooses at most $\delta + \gamma + i\epsilon$. □

In particular, Lemma 7 implies the device at node k chooses at most $\delta + \gamma + (k-1)\epsilon$. But validity applied
to scenario $\mathcal{S}_k$ implies the device at node k chooses at least $k\delta - \gamma$. So $k\delta - \gamma \le \delta + \gamma + (k-1)\epsilon$. This implies
$\delta \le 2\gamma/(k-1) + \epsilon$, a contradiction.

The general case of $|G| \le 3m$ and the connectivity bounds follow as in previous proofs. □
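The covering-ring argument of Theorem 6 and Lemma 7 can be run mechanically against any concrete candidate devices. The following is an added example, not code from the paper; it assumes a one-round message model in which each device sees its own input and the inputs reported by its two neighbours, and the rules `mean`, `median` and `own_input` are constructed candidates. Exact rationals are used so that the comparison with the bounds is not blurred by rounding.

```python
from fractions import Fraction as F

def ring_size(eps, delta, gamma):
    """Smallest k >= 2 with delta > 2*gamma/(k-1) + eps and k+2 divisible by 3."""
    if not 0 < eps < delta:
        raise ValueError("the construction needs 0 < eps < delta")
    k = 2
    while not ((delta - eps) * (k - 1) > 2 * gamma and (k + 2) % 3 == 0):
        k += 1
    return k

def run_ring(devices, eps, delta, gamma):
    """Run the triangle devices A, B, C around the covering ring of k+2 nodes.

    devices maps 'A', 'B', 'C' to f(own, heard) -> output, where heard maps the
    names of the two neighbouring devices to the inputs they reported.
    """
    k = ring_size(eps, delta, gamma)
    n = k + 2
    names = ["ABC"[i % 3] for i in range(n)]    # node 0 runs A, node k+1 runs C
    inputs = [i * delta for i in range(n)]      # node i has input i*delta
    outputs = []
    for i in range(n):
        left, right = (i - 1) % n, (i + 1) % n  # the ring closes between k+1 and 0
        heard = {names[left]: inputs[left], names[right]: inputs[right]}
        outputs.append(devices[names[i]](inputs[i], heard))
    return k, inputs, outputs

def violated_scenarios(devices, eps, delta, gamma):
    """Return (i, condition) for every two-node scenario S_i that breaks a condition."""
    k, inputs, outputs = run_ring(devices, eps, delta, gamma)
    bad = []
    for i in range(k + 1):                      # S_i holds nodes i and i+1
        lo, hi = inputs[i] - gamma, inputs[i + 1] + gamma
        if abs(outputs[i] - outputs[i + 1]) > eps:
            bad.append((i, "agreement"))
        if not all(lo <= outputs[j] <= hi for j in (i, i + 1)):
            bad.append((i, "validity"))
    return bad

# Constructed candidate devices (hypothetical, for illustration only).
def mean(own, heard):
    return (own + sum(heard.values())) / 3

def median(own, heard):
    return sorted([own, *heard.values()])[1]

def own_input(own, heard):
    return own

if __name__ == "__main__":
    eps, delta, gamma = F(1, 2), F(1), F(1)     # constructed parameters, eps < delta
    for rule in (mean, median, own_input):
        devices = {"A": rule, "B": rule, "C": rule}
        print(rule.__name__, violated_scenarios(devices, eps, delta, gamma))
```

Every scenario the function reports is, by the Fault axiom, a pair of correct nodes in some correct behavior of the triangle, so a non-empty result means the candidate devices do not solve the problem there.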

7.  Clock  Synchronization 

Each node has a hardware clock and maintains a logical clock. The hardware clocks are real-valued,
invertible and increasing functions of time. In general different hardware clocks run at different rates, and
the nodes wish to synchronize their logical clocks more closely than their hardware clocks. We also want the
logical clocks to be reasonably close to real time - setting them to be constantly zero should probably be
forbidden. Thus, we require the logical clocks to stay within some envelope of the hardware clocks.

This problem was studied in [DHS] for the case of linear clock and envelope functions, where it was shown
that it is impossible to synchronize to within a constant in inadequate graphs. Some questions concerning
more general synchronization problems were raised. It was pointed out, for example, that diverging linear


We model node i's hardware clock, $D_i$, as an input to the device at node i that has value $D_i(t)$ at time t. The
value of the hardware clock at time t is assumed to be part of the state of the node at time t. The time on node
i's logical clock at real time t is given by a function of the entire state of node i. Thus, if $E_i$ is a behavior of
node i (such that node i is in state $E_i(t)$ at time t), then we express i's logical clock value at time t as $C_i(E_i(t))$.

We assume that any aspect of the system which is dependent upon time (such as transmission delay,
minimum step time, maximum rate of message transmission) is a function of the states of the hardware clocks.
Having made this assumption, it is clear that speeding up or slowing down the hardware clocks uniformly in
different behaviors cannot be observable to the nodes, so the only impact on the behaviors should be that they
speed up or slow down in the same way as the hardware clocks.

To formalize this assumption, we need to talk about scaling clocks and behaviors. Let h be any invertible
function of time. If E is a behavior (of an edge or node), then Eh, the behavior E scaled by h, is such that
$Eh(t) = E(h(t))$, for all times t. Similarly, Dh is the hardware clock D scaled by h: $Dh(t) = D(h(t))$. If $\mathcal{E}$ is a
system behavior or scenario, $\mathcal{E}h$ is the system behavior or scenario obtained by scaling every node and edge
behavior in $\mathcal{E}$ by h. Similarly, if $\mathcal{S}$ is a system, then $\mathcal{S}h$ is the system obtained by scaling every clock in $\mathcal{S}$ by h.
Intuitively, a scaled clock or behavior is in the state at time t that the corresponding unscaled clock or
behavior is in at time h(t).

Scaling Axiom: If $\mathcal{E}$ is the behavior of system $\mathcal{S}$, then $\mathcal{E}h$ is the behavior of system $\mathcal{S}h$. □

If this axiom is significantly weakened, as by bounding the transmission delay, clock synchronization may
be possible in inadequate graphs.

In the following we use the Locality, Fault and Scaling axioms. We do not need the Bounded-Delay
Locality axiom used for the weak agreement and firing squad results.

The synchronization problem can be stated as follows. Let correct hardware clocks run either at f(t) or g(t),
where f and g are increasing, invertible functions, with $f(t) \le g(t)$, for all t. Let the envelope functions l and u
be nondecreasing functions such that $l(t) \le u(t)$, for all t.


Consider what happens if everyone runs their logical clocks at the lower envelope, $C(E(t)) = l(D(t))$. Then
the logical clocks are synchronized to within $l(g(t)) - l(f(t))$. The goal, then, is to improve this trivial
synchronization. We show that logical clocks cannot be synchronized to within $l(g(t)) - l(f(t)) - \alpha$, for any
positive $\alpha$.


That is, nontrivial synchronization is achieved by synchronization devices in G if there exist positive
constant $\alpha$ and time $t'$ such that every correct system behavior $\mathcal{E}$ satisfies the following conditions.

Agreement: For any two correct nodes i and j in $\mathcal{E}$,
$|C_i(E_i(t)) - C_j(E_j(t))| \le l(g(t)) - l(f(t)) - \alpha$, for all times $t \ge t'$.

Validity: For any correct node i in $\mathcal{E}$, with hardware clock $D_i$ and resulting behavior $E_i$,
$l(f(t)) \le C_i(E_i(t)) \le u(g(t))$.

Theorem 8: Nontrivial synchronization is not possible in inadequate graphs for models satisfying
the Scaling axiom.

We show that for every integer k > 2, there is a behavior $\mathcal{E}$ of G in which node i is correct, has hardware clock
$D_i = f$ (that is, $D_i(t) = f(t)$), and in which $C_i(E_i(t')) \ge l(f(t')) + k\alpha$. For k big enough, this violates the upper
envelope condition, $C_i(E_i(t')) \le u(g(t'))$.

Define $h = f^{-1}g$. (That is, $h(t) = f^{-1}(g(t))$.) Then $h^{-1} = g^{-1}f$. Note that $h(t) \ge t$ for all t, since $f(t) \le g(t)$.

We begin with the three node, one fault case. The argument is very similar to the proof of Theorem 6.

Assume the existence of devices A, B and C, time $t'$ and positive constant $\alpha$ such that logical clocks of
correct nodes obey the agreement and validity conditions:

$|C_i(E_i(t)) - C_j(E_j(t))| \le l(g(t)) - l(f(t)) - \alpha$, for all times $t \ge t'$.

$l(f(t)) \le C_i(E_i(t)) \le u(g(t))$, for all times t.

Choose an integer k > 2, such that k+2 is a multiple of three, and such that $l(f(t')) + k\alpha > u(g(t'))$. The
covering graph S contains k+2 nodes arranged in a ring, with devices and clock inputs assigned to create the
following system.

          /--------------------------------------\
          A ------ B ------ ... ------ B ------ C
node      0        1        ...        k        k+1
clock     $g$        $gh^{-1}$  ...        $gh^{-k}$  $gh^{-(k+1)}$
behavior  $E_0$      $E_1$      ...        $E_k$      $E_{k+1}$

Let $\mathcal{E}$ be the behavior of this system. An initially troubling concern is that the hardware clocks in $\mathcal{E}$ are
much slower in most of the devices in $\mathcal{S}$ than they would be in a correct behavior in G. But consider $\mathcal{S}_i$,
the two-node scenario containing the behaviors of nodes i and i+1, where $0 \le i \le k$.


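node                ... A ------ B ...
                        i        i+1
hardware clocks         $gh^{-i}$  $gh^{-(i+1)}$
resulting behavior      $E_i$      $E_{i+1}$

Now consider $\mathcal{S}_i h^i$, the scenario $\mathcal{S}_i$ scaled by $h^i$.

node                ... A ------ B ...
                        i        i+1
hardware clocks         $g$        $f$
resulting behavior      $E_i h^i$   $E_{i+1} h^i$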

In this scenario, the hardware clocks have values within the constraints for correct behaviors of G. Thus we
have the following.

Lemma 9: Scenario $\mathcal{S}_i h^i$, for $0 \le i \le k$, is a scenario containing the behaviors of two correct
nodes in a correct behavior of G.

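Lemma 10: For all i, $0 \le i \le k$, and all $t \ge h^i(t')$, $|C_{i+1}(E_{i+1}(t)) - C_i(E_i(t))| \le l(gh^{-i}(t)) - l(fh^{-i}(t)) - \alpha$.

Proof: Fix $t \ge h^i(t')$. Then $h^{-i}(t) \ge t'$. By Lemma 9, i and i+1 are correct in $\mathcal{S}_i h^i$, so by the agreement
assumption $|C_{i+1}(E_{i+1}h^i(h^{-i}(t))) - C_i(E_i h^i(h^{-i}(t)))| \le l(g(h^{-i}(t))) - l(f(h^{-i}(t))) - \alpha$. The result is immediate. □

Let time $t'' = h^k(t')$. Note that $t'' \ge h^i(t')$, for $i \le k$.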

Lemma 11: For all i, $1 \le i \le k+1$, $C_i(E_i(t'')) \ge l(gh^{-i}(t'')) + (i-1)\alpha$.

Proof: The proof is by induction on i. By Lemma 9, scenario $\mathcal{S}_0$ is a scenario in G of correct nodes a and b,
with hardware clocks g and f, respectively. From the validity condition, for all t, $C_1(E_1(t)) \ge l(f(t))$. Setting
$t = t''$, and substituting $gh^{-1}$ for f, we have the basis step: $C_1(E_1(t'')) \ge l(gh^{-1}(t''))$.

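Now make the inductive assumption $C_i(E_i(t'')) \ge l(gh^{-i}(t'')) + (i-1)\alpha$, for $1 \le i \le k$.

Since $t'' \ge h^i(t')$, from Lemma 10, we know $|C_{i+1}(E_{i+1}(t'')) - C_i(E_i(t''))| \le l(gh^{-i}(t'')) - l(fh^{-i}(t'')) - \alpha$.

This implies $C_{i+1}(E_{i+1}(t'')) \ge C_i(E_i(t'')) - l(gh^{-i}(t'')) + l(fh^{-i}(t'')) + \alpha$.

Substituting for $C_i(E_i(t''))$ using the inductive assumption gives us $C_{i+1}(E_{i+1}(t'')) \ge l(gh^{-i}(t'')) - l(gh^{-i}(t''))
+ l(fh^{-i}(t'')) + i\alpha = l(fh^{-i}(t'')) + i\alpha$. Noting that $f = gh^{-1}$, we have the result, $C_{i+1}(E_{i+1}(t'')) \ge
l(gh^{-(i+1)}(t'')) + i\alpha$. □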

Proof of Theorem 8:

Lemma 11 implies $C_{k+1}(E_{k+1}(t'')) \ge l(gh^{-(k+1)}(t'')) + k\alpha$. Since $t'' = h^k(t')$, we have $C_{k+1}(E_{k+1}(t'')) =
C_{k+1}(E_{k+1}(h^k(t'))) = C_{k+1}(E_{k+1}h^k(t')) \ge l(gh^{-(k+1)}h^k(t')) + k\alpha = l(f(t')) + k\alpha$.

But the upper envelope constraint for the scaled scenario $\mathcal{S}_k h^k$ (in which k+1 is correct and has hardware
clock f(t)) implies that $C_{k+1}(E_{k+1}h^k(t')) \le u(g(t'))$. Thus, $l(f(t')) + k\alpha \le u(g(t'))$. This violates the assumed
bound on k, $l(f(t')) + k\alpha > u(g(t'))$.

Once again, the general case of $|G| \le 3m$ is a simple extension of this argument. The connectivity bound
also follows easily, as with the earlier results. □

7.1.  Linear  Envelope  Synchronization  and  other  Corollaries 

Linear envelope synchronization, as defined in [DHS], examines the synchronization problem when the
clocks and envelope functions are linear functions ($g(t)=rt$, $f(t)=t$, $l(t)=at+b$ and $u(t)=ct+d$). It requires
correct logical clocks to remain within a constant of each other, so that the agreement condition is $|C_i(E_i(t)) -
C_j(E_j(t))| \le \alpha$, for all times t, instead of our weaker condition $|C_i(E_i(t)) - C_j(E_j(t))| \le art - at - \alpha$, for all times
$t \ge t'$. Our validity condition is slightly weaker, as well. Thus, the proof of [DHS] shows that logical clocks
cannot be synchronized to within a constant; we show that the synchronization of logical clocks cannot be
improved by a constant over the synchronization ($art - at$) that can be achieved trivially. Thus the following
corollary follows immediately from Theorem 8. (Each of the four corollaries below holds for models
satisfying the Scaling axiom.)

Corollary 12: Linear envelope synchronization is not possible in inadequate graphs.


We also get the following results immediately from Theorem 8, by choosing specific values for the clock
and lower envelope functions. Note that the particular choice of the upper envelope function does not affect
the minimal synchronization possible in inadequate graphs, although the existence of some upper envelope
function is necessary to obtain our impossibility proofs.

Corollary 13: If $f(t)=t$, $g(t)=rt$ and $l(t)=at+b$, no devices can synchronize a constant closer
than $art - at$ in inadequate graphs.

Corollary 14: If $g(t)=t+c$ and $l(t)=at+b$, no devices can synchronize a constant closer
than $ac$ in inadequate graphs.

Corollary 15: If $f(t)=t$, $g(t)=rt$ and $l(t)=\log_2(t)$, no devices can synchronize a constant closer
than $\log_2(r)$ in inadequate graphs.

In general, the best possible synchronization in inadequate graphs can be achieved without any
communication at all. The best nodes can do is run their logical clocks as slowly as they are permitted, $C(E(t)) =$

8.  Conclusion 

Most of the results we have presented were previously known. Our proofs are simpler than earlier proofs,
and hold in more general models, but this is not their main contribution. While simplicity and generality are
important goals, in this instance they are the welcome byproduct of our attempt to identify the fundamental
issues and assumptions behind a collection of similar results.

One important contribution is to elucidate the relationship between the unrestricted, or Byzantine failure
assumption, and inadequate graphs. As is clear from our proofs, this fault assumption permits faulty nodes to
mimic executions of disparate network topologies. If the network is inadequate, a covering graph can be
constructed so that correct devices cannot distinguish the execution in the original graph from one in the
covering graph.

A second contribution is related to the generality of our results. Nowhere do we restrict state sets or
transitions to be finite, or even to reflect the outcome of effective computations. The inability to solve
consensus problems in inadequate graphs has nothing to do with computation per se, but rather with
distribution. It is the distinction between local and global state, and the uncertainty introduced by the
presence of Byzantine faults, which result in this limitation.

Finally,  we  have  identified  a  small,  natural  set  of  assumptions  upon  which  the  impossibility  results  depend. 


For example, in the case of weak agreement and the firing squad problem, the correctness conditions are
sensitive to the actions of faulty nodes. Instantaneous notification of the detection of fault events would allow
one to solve these problems. An assumption that there are minimum delays in discovering and relaying
information about faults is sufficient to make these problems unsolvable.